Currently, a growing number of web applications require a client to carry out an authentication process prior to being granted access, and prior to being assigned an application session. In the authentication process a client declares its identity to the system (“UserId”) together with a proof of that identity (usually password based). The same identity must be presented for each application session involving a specific client.
In the related art there are at least two techniques used to perform authentication in web applications. The first technique is based on the authentication protocol semantics described in the Hypertext Transfer Protocol Request for Comments (HTTP RFC). In this technique the protected application responds with a 401 error code whenever authentication is required; the client then sends a request with the proper values in the “Authorization” header field and is authenticated by the application. If the application fails to authenticate the client, it responds again with a 401 error (or a 403 error).
The second technique, also known as “form authentication”, is more commonly used and relies on HTML forms in which the client types the UserId and password. The form is submitted to a specific module in the web application (using an HTTP request). The module evaluates the client's credentials and responds accordingly. In both techniques, once authentication is successful, the client is not required to resend the credentials throughout the rest of the application session. Specifically, the server internally associates the session identifier sent to the user (in the form of a cookie) with the identification token representing that user.
Web application security systems are required to be able to correlate multiple requests that constitute a single attack. Traditional techniques, taken from the network security domain, rely on the source IP address of the request. This type of correlation is inadequate in the domain of web applications because of the prevailing use of network address translation (NAT), on one hand, and the ability of an attacker to switch IP addresses quickly during an attack, on the other hand. An attacker can switch IP addresses by using proxies, dial-up connections, or other techniques. More advanced protection techniques rely on the notion of an application session as maintained by the web server using some mechanism for preserving session state across HTTP requests (e.g. cookies). While these techniques are more adequate, they fail to provide a robust solution, since session creation is controlled by the client rather than the server. For example, a client may refuse to send an existing cookie and thereby cause the server to generate a new session with a new cookie. Therefore, it would be advantageous to provide a more robust correlation mechanism for web application protection.
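The following added example (not part of this text) models the three correlation keys the passage compares: source IP address, the server-issued session cookie, and the UserId the server bound to that session at authentication time. A constructed request stream has one client authenticate, hop IP addresses and withhold its cookie so the server mints a fresh session, while a second client shares the first client's last IP; the `SessionStore` class, `correlate` function and the request fields are assumptions of the example, and password verification is omitted (credentials are treated as already validated).

```python
from collections import defaultdict


class SessionStore:
    """Minimal model of the server-side session table the passage describes."""

    def __init__(self):
        self._sessions = {}   # session id -> UserId bound to it, or None
        self._counter = 0

    def resolve(self, request):
        """Return (session_id, user_id) the server associates with a request.

        A missing or unknown cookie makes the server mint a fresh session,
        which is exactly what a client can force by withholding its cookie.
        Credentials in the request bind a UserId to that session (password
        checking is assumed done elsewhere); later requests that echo the
        cookie inherit the UserId without resending the credentials.
        """
        sid = request.get("cookie")
        if sid not in self._sessions:
            self._counter += 1
            sid = f"sess{self._counter}"
            self._sessions[sid] = None
        if "credentials" in request:
            self._sessions[sid] = request["credentials"]["user"]
        return sid, self._sessions[sid]


def correlate(requests, key):
    """Group request indices by one correlation key: 'ip', 'session' or 'user'."""
    store = SessionStore()
    groups = defaultdict(list)
    for i, req in enumerate(requests):
        sid, user = store.resolve(req)
        groups[{"ip": req["ip"], "session": sid, "user": user}[key]].append(i)
    return dict(groups)


# Constructed request stream: alice authenticates, then hops IP addresses and
# drops her cookie so the server opens a new session; bob shares her last IP.
REQUESTS = [
    {"ip": "203.0.113.5", "credentials": {"user": "alice"}},
    {"ip": "203.0.113.5", "cookie": "sess1"},
    {"ip": "198.51.100.7", "credentials": {"user": "alice"}},
    {"ip": "192.0.2.9", "cookie": "sess2"},
    {"ip": "192.0.2.9", "credentials": {"user": "bob"}},
]

if __name__ == "__main__":
    for key in ("ip", "session", "user"):
        print(key, correlate(REQUESTS, key))
```

IP grouping both splits alice's requests and merges them with bob's (the NAT case), session grouping splits them across `sess1` and `sess2`, and only the UserId key keeps all four of alice's requests together.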